CWH Underground have published an advisory regarding a malicious file execution vulnerability in WordPress 2.5.1.

We do not quite follow this advisory. It describes uploading a PHP backdoor onto a WordPress blog via the file upload facility or via the plugin editor. I don’t think this is really a WordPress issue but rather WordPress working as designed: both facilities are only available to users who already hold the corresponding privileges.

We have discussed before in our WordPress Whitepaper that the file upload facility should be restricted to trusted users only. We also recommend reading our Role Management post.
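As an added example of the restriction recommended above (this is not code from the original post or from WordPress itself), the following small must-use plugin strips the `upload_files` capability from the lower-privileged roles and, on WordPress versions that support the constant (it arrived after 2.5.1, in the 2.8 series), disables the built-in plugin and theme editor. The capability names and the `get_role()` / `remove_cap()` calls are WordPress's standard roles API; the role list to restrict is an assumption you should adjust to your own site.

```php
<?php
/*
 * Plugin Name: Restrict Uploads To Trusted Roles (example)
 * Description: Hardening example: only Administrators keep file upload rights,
 *              and the in-browser plugin/theme editor is switched off.
 *
 * Drop this file into wp-content/mu-plugins/ so it is always loaded.
 */

// Disable the plugin/theme editor in wp-admin. DISALLOW_FILE_EDIT is honoured
// by WordPress 2.8 and later; defining it here is harmless on older versions.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

/**
 * Remove the upload_files capability from every role except Administrator.
 * Capabilities are stored in the database, so this only needs to run once,
 * but running it on every load keeps the policy in force if a role is reset.
 *
 * The role list below is an assumption for this example; adjust it to the
 * roles that exist on your site.
 */
function example_restrict_upload_capability()
{
    $restricted_roles = array('author', 'editor', 'contributor', 'subscriber');

    foreach ($restricted_roles as $role_name) {
        $role = get_role($role_name);
        if ($role === null) {
            continue; // role does not exist on this install
        }
        if ($role->has_cap('upload_files')) {
            $role->remove_cap('upload_files');
        }
    }
}
add_action('init', 'example_restrict_upload_capability');

/**
 * Belt and braces: even for users who may upload, only accept a short list
 * of media types. This hooks the standard upload_mimes filter and returns a
 * replacement map of extension => MIME type.
 */
function example_allowed_upload_mimes($mimes)
{
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );
}
add_filter('upload_mimes', 'example_allowed_upload_mimes');
```

After activating it, check the result under Users → Authors & Users by logging in as an Author: the Write → Upload panel should no longer be offered, and the Plugins → Editor entry disappears for everyone. Administrators keep the ability to upload; the point is only that nobody below that level can place a file on disk.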

Comments

Joseph Scott on 2 June, 2008 at 6:44 pm #

When the first requirement is to have an administrator username and password, it’s hard to consider it much of an issue.


Abel Cheung on 2 June, 2008 at 10:20 pm #

Yes, I do agree with this conclusion as well. It seems the advisory can be translated into one single sentence: if you blindly trust people and give them admin access, then you are b0rked.

